Security audit

NavClaw

Security checks across malware telemetry and agentic risk

Overview

NavClaw appears to be a real navigation skill, but it needs review because it stores secrets and detailed trip data locally and can automatically send route results and logs to Mattermost when configured.

Install only if you are comfortable with an agent handling Amap keys, optional Mattermost bot tokens, home/default destinations, exact route data, and trip logs. Prefer local output with --no-send, use a low-privilege Mattermost bot and private channel if enabling posting, avoid storing secrets in long-term memory, and review or delete generated logs after private trips.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (35)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill declares only navigation functionality, but the documentation clearly describes filesystem writes and outbound network actions, including posting to Mattermost and uploading files. Undeclared write/network capabilities reduce transparency and consent, and can expose route data, logs, or credentials through unexpected side effects.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The stated purpose is route planning and deep-link generation, but the documented behavior expands into persistent logging, chat-platform posting, and file uploads. This mismatch is dangerous because users and host systems may authorize a navigation skill without realizing it can exfiltrate route details and logs to third-party services.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The README explicitly instructs the agent to install the skill, modify long-term memory, copy configuration files, and write credentials into local files. That expands the skill from route planning into host-side configuration and persistence changes, which can be abused to gain durable execution behavior or alter agent state beyond the user’s immediate request.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The instructions tell the agent to search memory for a previously supplied Amap API key and then write the secret into config.py. Reusing stored secrets beyond the immediate interaction broadens access to sensitive data and creates unnecessary persistence for a skill whose core job is only route computation.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Built-in chat posting and file-upload behavior to Mattermost goes beyond the justified scope of generating routes and links. That expansion increases the attack surface and creates a path for route data or logs to be sent to external systems without strong necessity for the core navigation task.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill instructs the agent to look up a previously provided Amap API key from memory and to place secrets into a local config file. That expands the skill from route planning into credential retrieval and persistence, creating unnecessary secret-handling risk and violating least-privilege expectations for a navigation tool.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The built-in Mattermost messaging and file upload behavior broadens the skill's scope beyond route generation into external posting and file transfer. This increases the attack surface because generated content and logs may be transmitted to third-party systems automatically, potentially exposing sensitive location or diagnostic data.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The installation guidance asks the agent to obtain Mattermost bot credentials from memory or the user and write them into config.py. This is credential-management behavior unrelated to core navigation and creates risk of secret collection, retention, and accidental disclosure from plaintext configuration files.

Description-Behavior Mismatch

Medium
Confidence
78% confidence
Finding
The documentation exposes an undisclosed Mattermost integration in a skill presented as navigation/deep-linking only. Hidden or undocumented outbound messaging expands the trust boundary and could send route queries, locations, or logs to a chat server, which is a privacy and data-leak risk even if not overtly malicious.

Context-Inappropriate Capability

Medium
Confidence
80% confidence
Finding
For a route-planning skill, bot-based messaging to Mattermost is not obviously necessary and creates an unnecessary exfiltration channel. In this context, origin/destination addresses, route choices, timestamps, and logs may contain sensitive location information, so the mismatch between stated purpose and capability makes the feature more dangerous.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The skill persists detailed travel logs containing origin and destination names, exact coordinates, timestamps, route characteristics, and generated navigation data to local markdown files. This creates a privacy and surveillance risk because sensitive location history is stored by default without explicit user consent, minimization, retention limits, or protection, and any local compromise or shared environment could expose a user's movements.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The wrapper's documented/default behavior includes sending route results and generated log files to Mattermost, which expands data handling beyond the stated navigation/deep-link purpose. This is dangerous because route queries and logs can contain sensitive location or user context, and the transmission is enabled by default rather than being a narrowly scoped, explicit opt-in feature.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code implements outbound chat posting and file upload capabilities that are not necessary for core route planning and can exfiltrate route data or local logs to an external collaboration platform. In this skill context, unsolicited messaging is more dangerous because users expect navigation output, not secondary distribution of their travel details to third-party channels.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger phrase is broad enough that an agent may auto-run the skill on natural language resembling travel discussion without a clear confirmation step. In an agent environment, ambiguous triggers can cause unintended tool execution, external API calls, and data disclosure based on conversational context rather than explicit consent.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The long-term memory template defines an automatic execution rule for phrases like 'from X to Y navigate' without clear exclusions or confirmation requirements. Persisting this behavior in memory makes accidental invocation more dangerous because it survives the current session and affects future interactions.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The README describes using external services for routing and optionally sending results through chat-platform integrations, but it does not present a clear user-facing privacy warning or consent flow. Route requests can contain sensitive origin, destination, home references, and platform metadata, so silent transmission creates privacy risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README explicitly instructs the agent or user to place an Amap API key into config.py and even to have the agent retrieve and write it from memory, but it does not warn that this is a secret requiring restricted storage and access controls. In an agent setting, encouraging credential persistence in plaintext config files and memory increases the chance of accidental disclosure through logs, repository sync, workspace sharing, or later prompt-driven exfiltration.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The README advertises Mattermost delivery of navigation results without clearly warning that origin, destination, route options, and timing data may be sent to an external chat platform. Trip data is sensitive location information, and silent forwarding to a third-party or organizational messaging service can create privacy and data-governance risks.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation directs users or agents to place API keys into config.py without any warning about secure secret handling. Storing credentials in source-like configuration files increases the risk of accidental disclosure through logs, backups, version control, or later file reads by other components.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill describes automatically sending route results and log attachments to Mattermost but does not warn that this transmits user travel data and local logs to an external service. Route origins, destinations, and log metadata can be privacy-sensitive, making silent transmission risky even if the feature is operationally useful.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The setup instructions ask for Mattermost bot credentials to be written into config.py with no explicit secret-handling safeguards. Bot tokens can enable broader messaging or file-upload actions in a workspace, so insecure storage materially raises the risk of credential theft and unauthorized posting.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation describes retrieving and storing API credentials in config.py without any clear warning about plaintext secret storage, reuse from memory, or exposure risks. In practice, this can lead users or agents to persist secrets insecurely and normalize unsafe credential handling.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The Mattermost setup instructions direct users to place bot token values in config.py but do not provide an explicit warning about the sensitivity of those tokens or the risk of exposing them through logs, repos, or backups. That omission makes insecure secret handling more likely.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill sends user-supplied addresses and resolved coordinates to Amap geocoding and routing endpoints, exposing sensitive location data to an external third party. In a navigation context some transmission is expected, but the danger remains because the code does not present a clear consent flow, warning, or data-handling notice before transmitting what may be home or work locations off-device.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The route log writer stores exact origin/destination coordinates, trip metadata, timestamps, route comparisons, and full execution logs to disk without explicit warning or consent. In the context of a driving/navigation skill, this is particularly sensitive because it can reveal a user's home, commute patterns, travel schedule, and other location intelligence long after the session ends.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.